Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Hello
My Linux system (RedHat 6.2) has been hacked. I had reports from my ISP that many networks were receiving many illegal probes from my system. I ran ps and found the linsniffer process running in my process list. I have killed the process. Can anyone tell me how to eradicate the process completely from my system?
I'm sorry to hear this. For now: get the box off the net. Even after investigating what was compromised etc, etc there should be no other clear answer than to save your *human readable data* and rebuild your box from scratch, for the simple reason you can't possibly trust the system anymore. More info: CERT Steps for Recovering from a UNIX or NT System Compromise.
Don't destroy your box yet. Get a good suite of forensics tools and figure out how they got in. Then you can safeguard against that same attack. Just rebuilding is pointless unless you learn from it.
I suggest The Coroner's Toolkit, but any forensics toolkit should suffice.
Post how they got in if it's really unique so we all can learn.
First let me tell you my setup. My Linux machine is in a network of 80 machines which also has a router. For business reasons any requests coming in on port 80 are redirected to the Linux machine, so within the network the machine can be accessed by its Ethernet IP, and people outside the network access it using a global IP. After my system was hacked I found 2 files in network-scripts: ifcfg-eth0 (a normal file) and ifcfg-eth0:0; this file had the global IP as its content. I deleted ifcfg-eth0:0, but I was still able to locate it. Then I restarted my system and found that eth0 was enabled in promiscuous mode. I then downed eth0:0 using ifconfig, and after that ifcfg-eth0:0 could be seen nowhere.
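The two symptoms in the post above, an interface left in promiscuous mode (which a sniffer such as linsniffer needs) and an IP alias file nobody configured, are the kind of thing a defender can check for mechanically. The following is an added example written for this thread, not code from any poster or tool mentioned here; it parses classic `ifconfig` output and the contents of `/etc/sysconfig/network-scripts/` files, both supplied as constructed sample strings so it runs offline.

```python
import re

# Flag word ifconfig prints when IFF_PROMISC is set; a sniffer needs this.
PROMISC_WORD = "PROMISC"
# IP alias config files are named ifcfg-<dev>:<n>, e.g. ifcfg-eth0:0.
ALIAS_NAME = re.compile(r"^ifcfg-([a-z0-9]+):(\d+)$")


def promiscuous_ifaces(ifconfig_output):
    """Names of interfaces whose classic-ifconfig flag line has PROMISC.
    A block starts with an unindented line naming the interface."""
    found, current = [], None
    for line in ifconfig_output.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0]
        if current and PROMISC_WORD in line.split() and current not in found:
            found.append(current)
    return found


def alias_configs(files, expected_addrs=()):
    """files maps network-scripts filename -> contents. Returns
    (filename, IPADDR) for each alias file whose address is not expected."""
    suspicious = []
    for name, body in sorted(files.items()):
        if not ALIAS_NAME.match(name):
            continue
        m = re.search(r"^IPADDR=(\S+)", body, re.MULTILINE)
        addr = m.group(1) if m else None
        if addr not in expected_addrs:
            suspicious.append((name, addr))
    return suspicious


# Constructed sample data standing in for a live system.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
"""
SAMPLE_FILES = {
    "ifcfg-eth0": "DEVICE=eth0\nIPADDR=192.0.2.10\nONBOOT=yes\n",
    "ifcfg-eth0:0": "DEVICE=eth0:0\nIPADDR=203.0.113.7\nONBOOT=yes\n",
}

if __name__ == "__main__":
    print("promiscuous:", promiscuous_ifaces(SAMPLE_IFCONFIG))
    print("unexpected aliases:", alias_configs(SAMPLE_FILES))
```

On a live box, feed `promiscuous_ifaces` the output of `ifconfig -a` and `alias_configs` a dict built from the files in `/etc/sysconfig/network-scripts/`, passing the addresses you actually assigned as `expected_addrs`; anything it reports is a deviation from your known configuration, not proof of compromise on its own.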
Dear orgcandman,
Can you give the details of the forensic toolkit? Where could I find this?
Forensics toolkits just analyse your system for attacks, and show you the contents of really important files. They allow you to go in and read raw sectors off the disk and look at all of the access logs on a *nix machine. Of course, unless you have auditing software (like Tripwire or some other file modification detector) the forensics kits aren't gonna be too much help. However, getting chkrootkit and a forensics kit should help you diagnose exactly how your system was attacked.
Not exactly right. TCT will only show you what's there, but you'll have to do the analysis yourself based on your knowledge of for instance use of MAC-times, snippets of code you find, running strings on binaries, the state of the system, your knowledge of blackhat kinda stuff etc, etc. Btw, TCT requires practicing with it *beforehand*.
File integrity scanners like AIDE, Tripwire, Samhain and the like will only be useful if you kept them current, and if the databases were kept on read-only media (same for the rpm database).
Chkrootkit is a really invaluable tool, but is useless if your system is (suspected) compromised: compile it elsewhere and use static binaries, or better, run it off the Biatchux CD (sourceforge) which has chkrootkit on it (0.35 IIRC), TCT *and* Perl.
Again, if you can't *trust* (keep control of) your system, and you've had good indications of that, make a copy of the disk with "dd" to another drive/host for later examination and consider reinstalling from scratch.